[57] ABSTRACT

A generic communications network provides an encrypted 
communications interface between service networks and 
their subscribers. When communications are initiated 
between a subscribing communications terminal and the 
generic network, the terminal compares a stored network 
identifier associated with a stored public key, with a unique 
identifier broadcast by the generic network. If a match is 
found, the terminal generates a random secret key, encrypts 
the secret key with the stored public key, and transmits the 
encrypted secret key. The generic communications network 
decrypts the secret key using a private key associated with 
the public key. The secret key is used thereafter by the 
terminal and the generic network to encrypt and decrypt the 
ensuing radio traffic. Consequently, the network can maintain
secure communications with the terminal without ever
knowing the terminal's identity. 

46 Claims, 3 Drawing Sheets 
METHOD AND APPARATUS FOR
ENCRYPTING RADIO TRAFFIC IN A 
TELECOMMUNICATIONS NETWORK 

BACKGROUND OF THE INVENTION 

1. Technical Field of the Invention 

The present invention relates generally to the field of 
wireless radio communications and, in particular, to a 
method and apparatus for encrypting radio traffic between 
terminals and a mobile communications network. 

2. Description of Related Art 

The need for increased mobility and versatility in tele- 
communications networks requires the networks to cover 
larger geographical areas and provide a broader range of 
telecommunications services to subscribers. These telecom- 
munications services include teleservices and bearer ser- 
vices. The teleservice provides the necessary hardware and 
software for a subscriber to communicate with another 
subscriber (e.g., terminal, etc.). The bearer service provides 
the capacity required to transmit appropriate signals between 
two access points (e.g., ports) that provide an interface with 
a network. Telecommunications services can be provided to 
subscribers by a number of service networks, such as, for 
example, public land mobile telecommunications networks 
(PLMNs), public switched telephone networks (PSTNs), 
integrated services digital networks (ISDNs), the so-called 
"Internet" access networks, video on demand (VOD) 
networks, and other proprietary service networks. 

In response to the need for increased mobility and 
versatility, a new mobile radio telecommunications network 
is being developed, which has a generic interface through 
which a service network subscriber can be connected with 
that service network regardless of the subscriber's geo- 
graphic location. This generic mobile radio network is 
referred to as the "Generic Access Network" (GAN). In 
order to more readily understand the present invention, 
which deals primarily with encrypting communications traf- 
fic between terminals and a GAN, a brief description of such 
a GAN is provided below with respect to FIG. 1. 

FIG. 1 is a perspective view of an exemplary GAN 
connected to a plurality of service networks and service 
network subscribers. The GAN (10) illustrated by FIG. 1 
includes an access network interconnected with a transport 
network. The access network includes a plurality of base 
stations (e.g., BS1 and BS2). Each base station includes a 
radio transmitter and receiver that provides communications 
coverage for a respective geographical area (e.g., a so-called 
cell, C1 and C2). The base stations are connected to a radio
network controller (RNC) 12. Although not shown 
explicitly, certain of the base stations can be connected to 
RNC 12 (e.g., BS1 and BS2), and certain other of the base 
stations can be connected to one or more other RNCs. A 
plurality of the RNCs can be interconnected to provide a 
communications path therebetween. The RNCs distribute 
signals to and from the connected base stations. 

A plurality of service networks (e.g., VOD network, 
PLMN, PSTN, Internet) are connected through respective 
access input ports (14, 16, 18, 20, 22, 24 and 26) to the 
access network of GAN 10. Each service network uses its 
own standard signaling protocol to communicate between its 
internal signaling nodes. For example, the Global System for 
Mobile communications (GSM), which is a digital cellular 
PLMN that has been fielded throughout Europe, uses the 
Multiple Application Part (MAP) signaling protocol. As 
illustrated by FIG. 1, the RNCs in the access network are 
connected through at least one of the access input ports to a 
service network. As shown, RNC 12 is connected through
access ports 20 and 24, respectively, to the PLMN and PSTN 
service networks. 

Mobile terminals 28 and 30 are located within the radio
coverage area of GAN 10, and can establish a connection
with each of the base stations (e.g., BS2) in the access
network. These mobile terminals can be, for example, a
cellular phone, mobile radiotelephone, personal computer
(notebook, laptop, etc.) possibly connected to a digital
cellular phone, or mobile television receiver (for VOD).
Signal transport between a mobile terminal and a selected
service network takes place over specified signal carriers.
For example, signals are transported between the cellular
phone (28) and the PLMN service network over signal
carriers SC1 and SC2.

The mobile terminals (e.g., 28 and 30) include an access
section and service network section. The access section of a
mobile terminal is a logical part of the access network and
handles the signaling required to establish the signal carrier
(e.g., SC2 and SC4) between the mobile terminals and RNC 12.
The service network section of a mobile terminal is a
logical part of the service network to which that terminal's
user subscribes. The service network section of a mobile
terminal receives and transmits signals, in accordance with
the specified standards of its related service network, via the
established signal carriers SC1 and SC2 (or SC4). The radio
interface portion of the signal carrier SC2 or SC4 (between
the mobile terminal and base station) can be time division
multiple access (TDMA), code division multiple access
(CDMA), or any other type of multiple access interface.

The service network subscribers can access their respective
service network through the GAN. The GAN provides
a signal carrier interface that allows a message to be
transported transparently over a signal carrier (e.g., SC1 and
SC2) between the service network part of a mobile terminal
and its service network. The GAN accomplishes this function
by matching the characteristics of the signaling connections
and traffic connections of all of the service networks
that connect to it. Consequently, the GAN can extend
the coverage of existing service networks and also increase
the subscribers' degree of mobility.

A unique characteristic of a GAN is that it has no
subscribers of its own. The mobile users of the GAN are
permanent subscribers to their own service networks, but
they are only temporary users of the GAN. Consequently, a
GAN does not know (or need to know) the identity of these
users. However, a problem arises in attempting to encrypt
radio traffic between the mobile terminals and the GAN.

Radio traffic (e.g., speech information or data) between
mobile terminals and base stations is typically encrypted to
ensure that the information being passed remains confidential.
Although some service networks (e.g., GSM) encrypt
traffic, most other service networks do not. Consequently, a
GAN should be capable of encrypting traffic for those
service networks that do not have that capability. However,
since a GAN does not know the identity of its users (the
service network subscribers), it must be capable of encrypting
radio traffic using encryption keys that are created
without knowing a subscribing terminal's identity or authenticity.
Unfortunately, most existing mobile communications
networks use encryption techniques that generate encryption
keys by using authentication parameters. In other words, to
encrypt radio traffic in a conventional mobile communications
network, the user terminal's identity must be known.

SUMMARY OF THE INVENTION

It is an object of the present invention to encrypt
communications between a mobile terminal and a communications
network without requiring the network to know the
identity of the terminal.

It is also an object of the present invention to encrypt 
communications between a plurality of mobile terminals and 
a communications network without requiring the network to 
maintain individual encryption keys for each of the termi- 
nals. 

It is another object of the present invention to encrypt 
communications between a mobile terminal and a commu- 
nications network without requiring the terminal to perma- 
nently store a secret encryption key. 

It is yet another object of the present invention to mini- 
mize call setup time, minimize transmission delays, and 
maximize data throughput, while encrypting communica- 
tions between a mobile terminal and a communications 
network. 

In accordance with one aspect of the present invention, a 
method is provided for encrypting communications between 
a communications network and a communications terminal, 
by storing a public key associated with the network at the 
terminal, generating a secret key at the terminal, encrypting 
the secret key with the stored public key at the terminal, 
transmitting the encrypted secret key from the terminal, 
receiving the encrypted secret key at the network, decrypting 
the received encrypted secret key with a private key, where 
the private key is associated with the public key, and 
encrypting the ensuing traffic with the secret key. If a public 
key has not been stored at the terminal, then the terminal 
transmits a request to the network for a public key. As such, 
the network is not required to know the identity of the 
terminal in order to maintain encrypted communications 
with the terminal. 

In accordance with another aspect of the present 
invention, the foregoing and other objects are achieved by a 
method and an apparatus for encrypting traffic between a 
communications network and a communications terminal by 
broadcasting a (asymmetric) public key from the network. 
The public key is received by the terminal. The network 
maintains a private key that can be used to decrypt infor- 
mation encrypted with the public key. The terminal gener- 
ates and stores a naturally occurring random number as a 
secret session (symmetric) key, encrypts the symmetric 
session key with the public key, and transmits the encrypted 
session key to the network. The network decrypts the session 
key with the private key, and both the network and terminal 
encrypt the ensuing communications with the secret session 
key. Again, the communications network is not required to 
know the identity of the terminal in order to maintain 
encrypted communications with the terminal. 

BRIEF DESCRIPTION OF THE DRAWINGS 

A more complete understanding of the method and appa- 
ratus of the present invention may be had by reference to the 
following detailed description when taken in conjunction 
with the accompanying drawings wherein: 

FIG. 1 is a perspective view of an exemplary generic 
access network connected to a plurality of service networks 
and service network subscribers; 

FIG. 2 is a top level schematic block diagram of a generic 
access network in which a method of encrypting radio traffic 
between service networks and service network subscribers 
can be implemented, in accordance with a preferred embodi- 
ment of the present invention; 

FIG. 3 is a schematic block diagram of the access network 
illustrated in FIG. 2; 
FIG. 4 is a sequence diagram that illustrates a method that
can be used to encrypt radio communications between a
generic access network and a terminal, in accordance with a
preferred embodiment of the present invention; and

FIG. 5 is a block diagram of a method that can be used to
certify the authenticity of a public key and the owner of the
key with a digital signature, in accordance with a preferred
embodiment of the present invention.

DETAILED DESCRIPTION OF THE DRAWINGS

The preferred embodiment of the present invention and its
advantages are best understood by referring to FIGS. 1-5 of
the drawings, like numerals being used for like and
corresponding parts of the various drawings.

Essentially, in accordance with a preferred embodiment of
the present invention, a mobile terminal stores at least one
public key, along with a unique identification character of at
least one GAN associated with that public key, in a memory
location. A GAN continuously broadcasts its unique
identification character in all cells connected to that GAN. When
contact is initiated between the terminal and that GAN, the
terminal compares the received identifier with the stored
identifier(s), and if a match can be made, the terminal
generates a random secret key, encrypts the secret key with
the public key associated with that GAN's identifier, and
transmits the encrypted secret key. The GAN decrypts the
secret key using a private key associated with the public key.
The secret key is used thereafter by the terminal and the
GAN to encrypt and decrypt the ensuing radio traffic.
Notably, the GAN can maintain secure communications
with the terminal without ever knowing the terminal's
identity. Furthermore, since the GAN does not need to know
the identity of such a terminal, the GAN is not required to
maintain a database of individual terminal encryption keys.
Additionally, the terminal is not required to store its own
secret key, because it can generate a new secret key for each
communications session.

FIG. 2 is a top level schematic block diagram of a generic
access network in which a method of encrypting radio traffic
between service networks and service network subscribers
can be implemented, in accordance with a preferred
embodiment of the present invention. A GAN 100 is shown, which
includes a transport network 102 interconnected with an
access network 104. A plurality of service networks (e.g.,
PLMN, ISDN, PSTN, INTERNET, VOD) are connected
through respective access ports (e.g., 106, 108, 110, 112,
114) to transport network 102 and access network 104.
Access network 104 includes a plurality of RNCs and
associated base stations (e.g., RNC(1)-RNC(N)). The
plurality of RNCs and associated base stations are connected by
a respective radio interface to a plurality of mobile
transceivers (terminals) 116, 118, 120 and 122. A user of each
mobile terminal is a subscriber to at least one of the service
networks PLMN, etc. The mobile terminals can communicate
with their respective service networks in the manner
described above with respect to FIG. 1. More specifically,
the RNCs control communications between the terminals
and their respective service networks. Notably, although a
plurality of mobile terminals (116, etc.) are shown in FIG. 2,
this is for illustrative purposes only. One or more fixed radio
terminals may also be connected to GAN 100 and are thus
capable of communicating with at least one of the service
networks.

FIG. 3 is a schematic block diagram of access network
104 illustrated in FIG. 2. Access network 104 includes a 
plurality of RNCs (e.g., RNC(1)-RNC(N)). However, 
although a plurality of RNCs is shown for this embodiment,
the present invention can be implemented with only one
RNC. At least one service network (e.g., 130, 132, 134) is
connected through at least one respective access port (e.g.,
AP1, AP(N-1), AP(N)) to at least one RNC. At least one
base station (e.g., BS(1), BS(N)) is connected to a respective
RNC (e.g., RNC(1), RNC(N)). Although a plurality of base
stations is shown, the present invention can be implemented
with only one base station.

A mobile terminal (e.g., cellular phone 118) is connected
by a radio interface to base station BS(1). It should be
readily understood that one terminal (118) is shown for
illustrative purposes only and that one or more additional
terminals could be shown. The RNCs (e.g., RNC(1)-RNC(N))
are interconnected by communications lines (136, 138)
for communications therebetween. Consequently, terminal
118 can establish communication with any of the service
[illegible] and GAN 100 (FIG. 2). Notably, the coverage
provided for each service network can be enlarged by
switching to a different access port of access network 104.
In other words, terminal 118 can communicate with service
network 132 through RNC(1), interconnecting line 136, and
RNC(N-1). Alternatively, if service network 132 is switched
to access port AP(1), terminal 118 can communicate with
service network 132 through RNC(1).

FIG. 4 is a sequence diagram that illustrates a method that
can be used to encrypt radio communications between a
generic access network and a terminal, in accordance with a
preferred embodiment of the present invention. The method
200 of encrypting communications can begin at the GAN or
the terminal. For example, in this embodiment, at step 204,
the GAN (e.g., 10) continuously broadcasts a unique
identification character in all cells connected to that GAN. The
terminal (e.g., 118) contains a non-volatile memory located
in a GAN section of the terminal. The terminal stores at least
one public key in the non-volatile memory. Along with each
public key, the terminal also stores a respective expiration
date for the key, and a GAN identification character that
identifies a specific GAN associated with that key. In other
words, each public key stored in the terminal's memory is
thereby associated with a specific GAN. The terminal
initiates contact by registering with a GAN (but not necessarily
setting up a call). A processor in the terminal compares the
received GAN identifier with the stored identifiers, and if a
match can be made (and the key has not expired), the
processor retrieves the stored public key associated with the
identified GAN. However, in the event that no such match
is found, the terminal sends a request for the GAN to
transmit a public key. The transmitted public key (and its
expiration date) is stored in the terminal and can be used to
encrypt a secret key in the current and ensuing
communication sessions.

At step 206, the terminal generates a (symmetric) secret
key (described in detail below). At step 208, the terminal
uses the retrieved public key to encrypt the secret key. At
step 210, the terminal transmits the encrypted secret key to
the identified GAN. At step 212, the GAN decrypts the
secret key, which, at step 214, is used by the GAN and the
terminal for encrypting traffic during the ensuing
communications session (described in detail below).

Alternatively, at the end of a session with a GAN, the
terminal stores the public key used for that session. When
the terminal or a GAN begins a new communications
session, the terminal retrieves the public key stored from the
last session with a GAN, and uses that public key to encrypt
a secret key to be used for the ensuing session. If the use of
that stored public key is unsuccessful, the terminal then
sends a request to the GAN for a new public key. This
technique advantageously increases network throughput,
because a network channel is not tied up transmitting a
public key. However, if a public key has not been stored
from a past session with a particular GAN, the terminal can
still receive the public key by requesting it from the GAN
and using it to encrypt a secret key that will be used for the
ensuing session. In any event, by storing the relatively large
(bit-wise) public keys in the terminal, as opposed to
transmitting them from the GAN, radio transmission delays can
be reduced significantly, a substantial amount of network
transmission time can be saved, and data throughput will be
increased.

FIG. 4 also illustrates a method that can be used to encrypt
radio communications between a generic access network
and a mobile terminal, in accordance with another
embodiment of the present invention. For example, when
communications are desired between a service network and a
terminal (e.g., PLMN and terminal 118), the service network
or the terminal can initiate communications with a call setup
message. At step 202, as the initial connection between the
GAN and the terminal is established, the service network
can [illegible] traffic [illegible] be encrypted. If [illegible]
terminal receives a public key which is continuously
broadcast from one or more base stations (BS(1)-BS(N)).
[illegible] embodiment, all of the RNCs maintain at least one
public key/private key pair (the same pair in every RNC) in
a memory storage location. The public key that was
broadcast by the GAN is received by the terminal (118) that has
initiated contact with that GAN. Preferably, both the call
setup procedure and the procedure to transfer the public key
is performed by an RNC, which is connected through an
access port to the service network of interest (e.g., RNC(1)
to AP(1) to PLMN 130). Alternatively, a base station (e.g.,
[illegible]) [illegible] maintain public/private key pairs
and broadcast or otherwise transfer a public key to a
terminal.

The RNC can broadcast the public key in all cells in the
RNC's coverage area. Consequently, since the GAN
broadcasts the public key instead of having the terminal request
the key from the GAN, the terminal can register with the
GAN much faster, and a call can be set up in a substantially
shorter period of time. Alternatively, instead of broadcasting
the public key in a plurality of cells, the RNC can transfer
the public key directly through the base station that has
established contact with the terminal. However, the method
of broadcasting the public key in a plurality of cells before
call setup advantageously decreases the load on the GAN's
dedicated traffic channels.

For all embodiments, as long as the terminal is registered
with the GAN, the same public key can be used for all
subsequent communications with that GAN, because the
same key is stored at the GAN and also at the terminal.
Alternatively, the public key can be changed periodically in
accordance with a predetermined scheme or algorithm, or
even at the whim of the GAN operator. If an operator desires
to change public keys periodically, storing each public key's
expiration date at the terminal facilitates their use in that
regard. Furthermore, in the preferred embodiment, when the
public key is changed, it can be broadcast by the GAN for
a predetermined period of time, to minimize the number of
terminal requests for a new public key.

As described earlier, at step 202, the GAN can maintain
one or more asymmetric public key/private key pairs. In that
event, a so-called "RSA Algorithm" can be used to create the
public key/private key pairs. The RSA Algorithm combines
the difficulty of factoring a prime number with the ease of
generating large prime numbers (using a probabilistic
algorithm) to split an encryption key into a public part and
a private part.

Specifically, assuming that the letters P and Q represent
prime numbers, the letter M represents an unencrypted
message, and the letter C represents the encrypted form of
M, the RSA Algorithm can be expressed as follows:

$$M^E \bmod PQ \rightarrow C \quad \text{(encrypted message M)} \tag{1}$$

$$C^D \bmod PQ \rightarrow M \quad \text{(decrypted message C)} \tag{2}$$

where the term (DE-1) is a multiple of (P-1)(Q-1). In this
embodiment, the exponent E is set to 3. The private and
public keys are each composed of two numbers. For
example, the numbers represented by (PQ, D) make up the
private key, and the numbers represented by (PQ, E) make
up the public key. Since the same value for E is used
consistently, only the PQ portion of the number need be sent
on request or broadcast and used for the public key (e.g., at
step 204). By knowing the private key, any message
encrypted with the public key can be decrypted.

Returning to FIG. 4, at step 206, the terminal (118)
receives and/or stores the asymmetric public key. The
terminal generates a random symmetric secret key. The random
secret key, which is used to encrypt communications
preferably for the complete session, can be generated in at least
one of four ways. Using one method, the terminal takes
several samples from measurements of the strength of the
received signal, concatenates the lower order bits of the
several samples, and processes the result to produce a
random number. Since the lower order bits of the received
signal are well within the noise level of the received signal,
a naturally occurring, truly random number is generated. A
second random number generating method is to use the
random noise signal created at the input of an A/D converter
connected to a microphone. Again, using this method, a
naturally occurring, truly random number can be generated
for the secret key. A third random number generating method
is for the terminal to take samples from phase measurements
of the received signal, concatenate the lower order bits of the
samples, and process the result to produce a random number.
A fourth random number generating method is for the
terminal to take samples from the encoding section of the
speech codec, concatenate the lower order bits of the
samples, and process the result to produce the random
number.

Alternatively, a random number generated at the terminal
can be used as a seed for a pseudorandom number generator.
The seed is encrypted with the public key from the GAN,
and transmitted to the GAN. The seed is used simultaneously
in the GAN and the terminal to produce a pseudorandom
number. The pseudorandom number thus generated
can be used by the GAN and the terminal as the secret key
for the ensuing communications session.

The session key can be changed periodically to a different
number in the pseudorandom number sequence. For
example, the session key can be changed for a number of
reasons, such as after a predetermined amount of data has
been encrypted, or after traffic has been encrypted for a
predetermined amount of time. The terminal or the GAN can
initiate a change of the secret key, or the key can be changed
according to a predetermined scheme or algorithm. For
example, a request to change the secret session key can be
implemented by transmitting a "session key change request"
message, or by setting a "session key change request" bit in
the header of a transmitted message.

Additionally, shorter session keys can be generated and
less complicated encryption algorithms can be used with the
pseudorandom number generation method described above.
Consequently, a substantial amount of processing power can
be saved in the GAN and especially in the terminal. The
terminal can be configured to select the length of the session
key to be used, in order to address trade-offs between
security and computational requirements. For example, the
terminal's processor can select the length of a secret session
key by generating a session key at that length, or by
specifying the number of bits to be used from the output of
the pseudorandom number generator. Alternatively, the
terminal can specify the range of the output of the
pseudorandom number generator to set a predetermined length.

Other alternative methods may be used to generate a
pseudorandom number for a secret session key. For
example, using a "Lagged Fibonacci" type of pseudorandom
number generator, the n-th number in the pseudorandom
number sequence, N_n, can be calculated as follows:

$$N_n = (N_{n-k} - N_{n-l}) \bmod M \tag{3}$$

where k and l are the so-called lags, and M defines the range
of the pseudorandom numbers to be generated. For optimum
[illegible] should be between 1000 and 10000.
If a relatively long key is desired, a plurality of the
pseudorandom numbers produced by equation 3 can be
concatenated to produce a longer key. If the pseudorandom
numbers produced by equation 3 are to be floating point numbers
between 0 and 1, M can be set to 1. The bit patterns of such
floating point pseudorandom numbers can be used as
symmetric encryption keys.

Another pseudorandom number generator that can be
used to create a secret key is based on an algorithm
that produces pseudorandom numbers uniformly distributed
between 0 and 1. Specifically, the seeds X_0, Y_0 and Z_0 of the
pseudorandom numbers N_n are initially set to integer values
between 1 and 30000. The pseudorandom numbers N_n are
then calculated as follows:

$$X_n = 171 \cdot (X_{n-1} \bmod 177) - (2 \cdot X_{n-1}/177) \tag{4}$$

$$Y_n = 172 \cdot (Y_{n-1} \bmod 176) - (35 \cdot Y_{n-1}/176) \tag{5}$$

$$Z_n = 170 \cdot (Z_{n-1} \bmod 178) - (63 \cdot Z_{n-1}/178) \tag{6}$$

If any of the values of X_n, Y_n or Z_n are less than zero,
respectively, then X_n is set equal to X_n+30269, Y_n is set
equal to Y_n+30307, or Z_n is set equal to Z_n+30323. The
pseudorandom numbers N_n are then equal to ((X_n/30269 +
Y_n/30307 + Z_n/30323) amod 1), where X_n, Y_n and Z_n are
floating point numbers, and "amod" means that these
numbers can be fractions. The floating point numbers generated
with this algorithm form bit patterns that are suitable for use
as symmetric encryption keys. The length of such keys can
be extended by concatenating a plurality of the
pseudorandom numbers generated.

Returning to the method illustrated by FIG. 4, at step 208,
preferably using the above-described RSA Algorithm, the
terminal encrypts the secret symmetric key with the public
key. For example, assume that the secret symmetric key
generated at the terminal is represented by the letters SK.
Using equation 1 of the RSA Algorithm, the secret key is
encrypted as follows:
$$M^E \bmod PQ \rightarrow C$$

where (PQ, E) represents the public key, M is equal to SK,
and C is the encrypted version of SK. The exponent E is set
to 3.
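
Equations 1 and 2 with E = 3, as an added example that is not part of the patent text. P and Q are two well-known public primes chosen for the demonstration, and the function names and the random-fill padding are assumptions (current practice is RSA-OAEP); the example shows that a 64-bit SK cubed never reaches PQ, so C is an ordinary integer cube unless the field is filled to the size of the modulus.

```python
import secrets

# Constructed demo key pair. P and Q are well-known public primes, both
# congruent to 2 mod 3 so that E = 3 has an inverse; a real network would
# use secret, randomly generated primes.
P = 2**130 - 5
Q = 2**448 - 2**224 - 1
PQ = P * Q
E = 3
D = pow(E, -1, (P - 1) * (Q - 1))   # makes (D*E - 1) a multiple of (P-1)(Q-1)


def encrypt(m: int) -> int:
    """Equation 1: M^E mod PQ -> C."""
    if not 0 <= m < PQ:
        raise ValueError("message must be smaller than PQ")
    return pow(m, E, PQ)


def decrypt(c: int) -> int:
    """Equation 2: C^D mod PQ -> M."""
    return pow(c, D, PQ)


def integer_cube_root(n: int) -> int:
    """Largest r with r**3 <= n, by binary search on exact integers."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def wraps_modulus(m: int) -> bool:
    """True when M^E reaches PQ, i.e. the 'mod PQ' in equation 1 does work."""
    return m ** E >= PQ


def pad_to_modulus(sk: int, sk_bits: int) -> int:
    """Fill the bits above SK with fresh random bits, top bit forced to 1.

    Illustrative padding only (an assumption of this example); it keeps the
    padded value below PQ and large enough that its cube wraps the modulus.
    """
    room = PQ.bit_length() - 1 - sk_bits
    filler = secrets.randbits(room) | (1 << (room - 1))
    return (filler << sk_bits) | sk


def unpad(m: int, sk_bits: int) -> int:
    """Drop the random fill and return the low sk_bits bits (the key)."""
    return m & ((1 << sk_bits) - 1)


if __name__ == "__main__":
    sk = secrets.randbits(64)                      # a DES-sized secret key
    c = encrypt(sk)
    print("round trip with D:      ", decrypt(c) == sk)
    print("SK^3 wraps PQ:          ", wraps_modulus(sk))
    print("cube root of C equals SK:", integer_cube_root(c) == sk)
    padded = pad_to_modulus(sk, 64)
    c2 = encrypt(padded)
    print("padded value wraps PQ:  ", wraps_modulus(padded))
    print("cube root recovers it:  ", integer_cube_root(c2) == padded)
    print("GAN still recovers SK:  ", unpad(decrypt(c2), 64) == sk)
```
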

In the preferred embodiment, the terminal places the
encrypted secret key into a message format, which includes
a header and message field. The header provides control
information associated with the encrypted secret key that
follows in the message field. A bit in the header can be set
to indicate that the message field that follows the header is
encrypted. In other words, only the secret key field of the
message is encrypted. The header of the message is
transmitted in the clear. Consequently, a substantial amount of
network processing time can be saved at the RNC, since the
header indicates whether the subsequent message field is
encrypted, and if so, only that portion of the message is to
be decrypted.

At step 210, the terminal (118) transmits the encrypted
secret key (C) to the GAN via the contacted base station
(e.g., BS(1)). In the preferred embodiment, this secret key is
used for the ensuing communications. Alternatively, at any
time during the ensuing communications session, the
terminal can generate a new secret key, encrypt it with the public
key, and transmit the new encrypted secret key to the GAN.
The security of the session is thereby increased, because by
reducing the amount of time that a particular secret key is
used for a session, the likelihood that the secret key will be
broken by an unauthorized user is also reduced.

At step 212, the RNC (e.g., RNC(1)) receives the
encrypted secret key (C) from the base station, and decrypts 
the secret key using the private key part of the RSA 
Algorithm. For example, using equation 2 (above) of the 
RSA Algorithm, the received encrypted secret key (C) is 
decrypted as follows:

$$C^{D} \bmod PQ = M$$

where (PQ, D) represents the private key, and M is equal to 
SK (secret key).

At step 214, the ensuing radio traffic between the RNC 
and the terminal is encrypted and decrypted with the secret 
key, which is now known to both the RNC and the terminal. 
A known symmetric encryption algorithm can be used to 
encrypt and decrypt the ensuing radio traffic with the secret
key, such as, for example, a one, two or three pass Data 
Encryption Standard (DES) algorithm, or a Fast Encipher- 
ment Algorithm (FEAL). 

As yet another encryption alternative, instead of using the
RSA Algorithm to create a public/private key pair, a
so-called Diffie-Hellman "exponential key exchange"
algorithm can be used to let the terminal and the GAN agree on
a secret session key. In using this encryption scheme, two
numbers (a, q) are stored at the GAN. At the beginning of
a communications session, the RNC transmits the two
numbers directly (or broadcasts the numbers) to the
terminal. The numbers a and q are required to meet the following
criteria: q is a large prime number that defines the finite
(Galois) field GF(q) = 1, 2, ..., q-1; and a is a fixed primitive
element of GF(q). In other words, the exponents (x) of
($a^{x} \bmod q$) produce all of the elements 1, 2, ..., q-1 of GF(q).
In order to generate an agreed to secret session key, the two
numbers (a, q) are transmitted directly (or broadcast) from
the GAN to the terminal. Alternatively, the two numbers can
be already resident in the terminal's non-volatile memory.
The terminal (118) generates the random number
$X_T$ ($1 < X_T < q-1$), and computes the value of
$Y_T = a^{X_T} \bmod q$.
The GAN (e.g., the RNC or base station) generates the
random number $X_G$ ($1 < X_G < q-1$), and computes the value of
$Y_G = a^{X_G} \bmod q$. The random numbers can be generated at
the terminal using the methods described above with respect
to generating naturally occurring, truly random numbers.

$Y_T$ and $Y_G$ are transferred unencrypted to the respective
GAN and terminal. Upon receipt of the number $Y_G$, the
terminal calculates the value of
$K_S = Y_G^{X_T} \bmod q = a^{X_G X_T} \bmod q$.
Upon receipt of the number $Y_T$, the GAN calculates
the value of $K_S = Y_T^{X_G} \bmod q = a^{X_T X_G} \bmod q$.
The number $X_T$
is kept secret at the terminal, the number $X_G$ is kept secret
at the GAN, but the value of $K_S$ is now known at both the
terminal and the GAN. The number $K_S$ is therefore used by
both as the communications session encryption key. An
unauthorized user would not know either $X_T$ or $X_G$ and
would have to compute the key $K_S$ from $Y_T$ and $Y_G$, which
is a prohibitive computational process. A significant security
advantage of using the exponential key exchange algorithm 
is that the GAN is not required to maintain secret private key 
data on a permanent basis. 
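
The exponential key exchange described above, worked through for both sides as an added Python example (not part of the patent text). It goes slightly beyond the description by testing the primitive-element criterion for (a, q) and by range-checking the received value; the function names, the use of the OS random generator and the toy prime are assumptions of this example.

```python
import secrets

def prime_factors(n):
    """Distinct prime factors of n by trial division (adequate for toy q)."""
    found, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            found.add(p)
            n //= p
        p += 1
    if n > 1:
        found.add(n)
    return found

def is_primitive_element(a, q):
    """True if a^x mod q takes every value 1, 2, ..., q-1 (q prime).

    Equivalent test: a^((q-1)/p) mod q != 1 for every prime p dividing q-1.
    """
    if not 1 < a < q:
        return False
    return all(pow(a, (q - 1) // p, q) != 1 for p in prime_factors(q - 1))

def smallest_primitive_element(q):
    """One way an operator could pick a for a given prime q."""
    return next(a for a in range(2, q) if is_primitive_element(a, q))

def random_exponent(q):
    """Secret X with 1 < X < q-1. Assumption: drawn from the OS CSPRNG,
    where the patent uses naturally occurring random numbers."""
    return 2 + secrets.randbelow(q - 3)          # 2 .. q-2

def public_value(a, q, x):
    return pow(a, x, q)                          # Y = a^X mod q

def session_key(peer_y, own_x, q):
    """K_S = Y_peer^X_own mod q, after a range check on the received Y.

    The check is an addition of this example: a peer using 1 < X < q-1
    never sends 0 or 1, and values >= q are not elements of GF(q).
    """
    if not 1 < peer_y < q:
        raise ValueError("received value is not a valid element")
    return pow(peer_y, own_x, q)

def run_exchange(a, q):
    """Both sides of the exchange; returns what each side ends up holding."""
    if not is_primitive_element(a, q):
        raise ValueError("a is not a primitive element of GF(q)")
    x_t = random_exponent(q)                     # terminal secret X_T
    x_g = random_exponent(q)                     # GAN secret X_G
    y_t = public_value(a, q, x_t)                # sent in the clear to the GAN
    y_g = public_value(a, q, x_g)                # sent in the clear to the terminal
    return {"x_t": x_t, "x_g": x_g, "y_t": y_t, "y_g": y_g,
            "k_terminal": session_key(y_g, x_t, q),
            "k_gan": session_key(y_t, x_g, q)}

if __name__ == "__main__":
    q = 2**31 - 1                                # toy prime, far too small for real use
    a = smallest_primitive_element(q)
    result = run_exchange(a, q)
    print(a, result["k_terminal"] == result["k_gan"])
```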

In summary, when a communications session is first 
initiated between a GAN and a terminal, the terminal 
receives an asymmetric public key that has been continu- 
ously broadcast by the GAN, retrieved from the terminal's 
internal memory, or requested from the GAN. The GAN 
maintains a private key that can be used to decrypt infor- 
mation encrypted with the public key. The terminal gener- 
ates and stores a naturally occurring random number as a 
secret session (symmetric) key, encrypts the symmetric 
session key with the public key, and transmits the encrypted 
session key to the GAN. The GAN decrypts the session key 
with the private key, and both the GAN and terminal encrypt 
the ensuing communications with the secret session key. A
primary technical advantage of transferring a public key 
from a GAN to a terminal at the onset of communications is 
that the GAN is not required to know the identity of the 
terminal in order to have encrypted communications with 
the terminal. However, a problem can arise if an unautho- 
rized user attempts to impersonate a GAN and transmits a 
public key to the terminal. In that event, as described below, 
the terminal can be configured to authenticate the received 
public key and the identity of the GAN. 

For example, when a public key is to be transferred from 
a GAN to a terminal, the key can be transferred with a public 
key "certificate". This certificate provides proof that the 
associated public key and the owner of that key are authen- 
tic. A "trusted" third party can issue the public key along 
with the certificate, which includes a "digital signature" that 
authenticates the third party's identity and the public key. 
The certificate can also contain the GAN's identity and the 
expiration date of the certificate, if any. 

In one aspect of the invention, the GAN transmits the 
certificate and public key to the terminal. In that case, the 
public key of the third party is pre-stored (a priori) at the 
subscribing terminals.
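
The certificate check that guards against a forged GAN public key, followed by the RSA transport of the secret key from equations 1 and 2, as an added Python example (not part of the patent text). Step numbers in the comments refer to the method of FIG. 5; the field names, the SHA-256 hash, the toy primes, the identifier "GAN-1" and the dates are constructed assumptions, and the RSA is unpadded exactly as the equations are written.

```python
import hashlib
import json
import secrets
from datetime import date

def keypair(p, q, e):
    """Return public (PQ, E) and private (PQ, D) keys for primes p and q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))            # E*D = 1 mod (P-1)(Q-1)
    return (n, e), (n, d)

# Toy keys from well-known primes, constructed for this example only.
ISSUER_PUB, ISSUER_PRIV = keypair(2**521 - 1, 2**607 - 1, 65537)
GAN_PUB, GAN_PRIV = keypair(1_000_000_007, 998_244_353, 3)   # E = 3 as in the text

def digest(info):
    """Hash the unencrypted certificate fields (steps 304-306 and 314-316)."""
    canonical = json.dumps(info, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big")

def issue_certificate(owner, public_key, expires, issuer_priv):
    """Trusted third party: steps 302-310."""
    n, d = issuer_priv
    info = {"owner": owner, "public_key": list(public_key),
            "expires": expires.isoformat()}
    return {"info": info, "signature": pow(digest(info), d, n)}

def verify_certificate(cert, issuer_pub, broadcast_id, today):
    """Terminal: steps 312-322, then the identity and expiry fields."""
    n, e = issuer_pub
    info = cert["info"]
    if pow(cert["signature"], e, n) != digest(info):   # steps 318-322
        return False
    if info["owner"] != broadcast_id:            # certificate names another GAN
        return False
    return date.fromisoformat(info["expires"]) >= today

def encrypt_secret_key(sk, public_key):
    """Equation 1: C = M^E mod PQ with M = SK."""
    n, e = public_key
    if not 1 < sk < n:
        raise ValueError("SK must be smaller than PQ")
    return pow(sk, e, n)

def decrypt_secret_key(c, private_key):
    """Equation 2: M = C^D mod PQ."""
    n, d = private_key
    return pow(c, d, n)

def terminal_key_transport(cert, issuer_pub, broadcast_id, today):
    """Verify the received certificate, then create and encrypt SK."""
    if not verify_certificate(cert, issuer_pub, broadcast_id, today):
        raise ValueError("public key rejected: certificate not authentic")
    sk = 2 + secrets.randbelow(2**56 - 2)        # 56-bit key, e.g. for DES
    return sk, encrypt_secret_key(sk, tuple(cert["info"]["public_key"]))

if __name__ == "__main__":
    today = date(2024, 1, 1)                     # constructed date
    cert = issue_certificate("GAN-1", GAN_PUB, date(2025, 1, 1), ISSUER_PRIV)
    sk, c = terminal_key_transport(cert, ISSUER_PUB, "GAN-1", today)
    print(decrypt_secret_key(c, GAN_PRIV) == sk)
```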

FIG. 5 is a block diagram of a method that can be used to 
certify the authenticity of a public key and the owner of the 
key with a digital signature, in accordance with the present 
invention. The method (300) of digitally signing a public 
key certificate and verifying its authenticity begins at step 
302. At step 302, a "certificate" containing unencrypted 
information about the owner of the public key to be trans- 
ferred to a terminal is prepared by a trusted third party. The 
unencrypted information also includes the public key and 
the expiration date of the certificate. At step 304, the 
resulting "unsigned" certificate is processed with an irre- 
versible algorithm (e.g., a hashing algorithm) to produce a 
message digest at step 306, which is a digested or shortened
version of the information included on the certificate. At step
308, the digest information is encrypted with a private key
of a different public/private key pair. Preferably, an RSA
algorithm similar to equations 1 and 2 above is used to
derive this key pair. At step 310, a digitally signed public key
certificate is thereby produced that contains the originally
unencrypted information (including the public key to be
used for the communications session) and the digest
information, which is now encrypted with the certificate
issuer's private key. The digitally signed public key
certificate is then transferred to the terminal that has initiated
contact with the GAN.

At step 312, upon receiving the digitally signed
certificate, the terminal's processor analyzes the
unencrypted and encrypted portions of the document. At step
314, the unencrypted information is processed using an
algorithm identical to the hashing algorithm used at step
304. At step 316, a second digested version of the
unencrypted information is produced at the terminal. At step 318,
the terminal's processor retrieves the pre-stored certificate
issuer's public key from memory, and using an RSA
algorithm, decrypts the encrypted digest information from
the certificate. Another version of the unencrypted digested
information is thereby produced at step 320. At step 322, the
terminal compares the two versions of the unencrypted
digested information, and if the compared information is
identical, the certificate's signature and the session public
key are assumed to be authentic. That certified public key
can now be used by the terminal to encrypt the secret session
key.

Although a preferred embodiment of the method and
apparatus of the present invention has been illustrated in the
accompanying Drawings and described in the foregoing
Detailed Description, it will be understood that the invention
is not limited to the embodiments disclosed, but is capable
of numerous rearrangements, modifications and
substitutions without departing from the spirit of the invention as set
forth and defined by the following claims.

What is claimed is:

1. A method for encrypting communications traffic
between a mobile communications network and a
communications terminal, comprising the steps of:

storing a public key and a first identifier associated with
said mobile communications network at said
communications terminal;

comparing said first identifier stored at said
communications terminal with a second identifier received from
said mobile communications network;

generating a secret key at said communications terminal
when the first identifier matches the second identifier;

encrypting said secret key with said stored public key at
said communications terminal;

transmitting said encrypted secret key from said
communications terminal;

receiving said encrypted secret key at said mobile
communications network;

decrypting said received encrypted secret key with a
private key, said private key associated with said public
key;

encrypting said communications traffic with said secret
key; and

maintaining said encrypted communications traffic
between said mobile communications network and said
communications terminal when the mobile
communications network does not know an identity of said
communications terminal.

2. The method according to claim 1, wherein the step of
storing a public key comprises the step of a priori prestoring
the public key.

3. The method according to claim 1, further comprising
the step of transmitting said public key from said mobile
communications network upon receiving a public key
request from said communications terminal.

4. The method according to claim 3, wherein the step of
transmitting said public key further comprises the step of
transmitting information to authenticate said public key.

5. The method according to claim 3, wherein the step of
comparing further comprises the step of transmitting said
public key request from said communications terminal when
said first identifier does not match said second identifier.

6. The method according to claim 1, wherein the steps of
receiving and decrypting said encrypted secret key are
performed at a radio base station in said mobile
communications network.

7. The method according to claim 1, wherein the step of
decrypting said received encrypted secret key is performed
at a radio network controller in said mobile communications
network.

8. The method according to claim 1, wherein said mobile
communications network comprises a generic
communications network.

9. The method according to claim 1, wherein said
communications terminal comprises a mobile terminal.

10. The method according to claim 1, wherein said
communications terminal comprises a fixed terminal.

11. The method according to claim 1, wherein said mobile
communications network comprises a cellular phone
network.

12. The method according to claim 1, further comprising
the steps of:

connecting a plurality of service networks to said mobile
communications network, a user of said
communications terminal being a subscriber to at least one of said
plurality of service networks; and

providing a communications path between said
communications terminal and said at least one of said plurality
of service networks.

13. The method according to claim 1, wherein said private
key and said public key are associated by an RSA Algorithm.

14. The method according to claim 1, wherein said secret
key comprises a symmetric encryption key.

15. The method according to claim 1, wherein the step of
generating a secret key comprises the step of generating a
naturally occurring random number.

16. The method according to claim 1, wherein the step of
generating a secret key comprises the steps of:

detecting a received signal in digital form at said
communications terminal; and

extracting at least one low order bit from said detected
received signal.

17. The method according to claim 1, wherein the step of
generating a secret key comprises the steps of:

detecting a signal at an output of a microphone A/D
converter; and

extracting at least one low order bit from said detected
output signal.

18. The method according to claim 1, wherein the step of
generating a secret key comprises the steps of:

detecting a signal at an output of a speech codec; and

extracting at least one low order bit from said detected
output signal.

19. The method according to claim 1, wherein the step of
generating a secret key comprises the steps of:

generating a seed for a pseudorandom number, and

generating a pseudorandom number from said seed.

20. The method according to claim 1, wherein a length of 
said secret key is predetermined at said communications 
terminal.

21. The method according to claim 1, wherein said secret 
key further comprises a plurality of concatenated numbers. 

22. The method according to claim 1, wherein the step of 
storing said public key and said first identifier further 
comprises storing an expiration date associated with said
public key.

23. The method according to claim 22, wherein said 
communications terminal transmits a public key request to 
said mobile communications network if said public key has 
expired. 

24. The method according to claim 1, further comprising
the steps of: 

changing said public key at said mobile communications 
network; and 

storing said changed public key at said communications 
terminal.

25. The method according to claim 24, wherein the step 
of changing said public key further comprises the step of 
broadcasting said changed public key from said mobile 
communications network for a predetermined period of 
time.

26. A method for encrypting traffic between a generic 
communications network and a first communications 
terminal, comprising the steps of: 

broadcasting a public key from said generic
communications network to a plurality of communications
terminals, said plurality of communications terminals 
including said first communications terminal; 

generating a secret key at said first communications 
terminal; 

encrypting said secret key with said public key at said first
communications terminal; 

transmitting said encrypted secret key from said first 
communications terminal; 

receiving said encrypted secret key at said generic
communications network;

decrypting said received encrypted secret key with a 
private key, said private key associated with said public 
key; 

encrypting said traffic with said secret key; and

maintaining said encrypted traffic between said generic
communications network and said first communica- 
tions terminal when the generic communications net- 
work does not know an identity of said first commu- 
nications terminal. 

27. The method according to claim 26, wherein the
broadcasting step further comprises the steps of: 

transferring said public key from a radio network con- 
troller to at least one base station in said generic 
communications network; and 

transmitting said public key from said at least one base
station. 

28. The method according to claim 26, wherein said 
broadcasting step comprises the step of transmitting said 
public key from a plurality of base stations in said generic 
communications network.

29. The method according to claim 26, wherein the step 
of broadcasting said public key further comprises the step of 
broadcasting information to authenticate said public key. 

30. The method according to claim 26, wherein the step
of broadcasting said public key further comprises the step of
transmitting, on request, information to authenticate said 
public key. 




31. A method for encrypting communications traffic 
between a mobile communications network and a commu- 
nications terminal, comprising the steps of: 

storing two numbers associated with a Diffie-Hellman 
exponential key exchange algorithm and a first identi- 
fier associated with said mobile communications net- 
work at said communications terminal; 

comparing said first identifier stored at said communica- 
tions terminal with a second identifier received from 
said mobile communications network; 

generating a first random number at said communications 
terminal when the first identifier matches the second 
identifier; 

generating a second random number at said mobile com- 
munications network when the first identifier matches 
the second identifier; and 

using said first and second random numbers as inputs to 
said Diffie-Hellman exponential key exchange 
algorithm, generating a third number to be used as a 
secret key by said communications terminal and said 
mobile communications network; 

encrypting said communications traffic with said secret 
key; and 

maintaining said encrypted communications traffic 
between said mobile communications network and said 
communications terminal when the mobile communi- 
cations network does not know an identity of said 
communications terminal. 

32. The method according to claim 31, wherein the step 
of storing two numbers comprises the step of a priori 
prestoring said two numbers. 

33. The method according to claim 31, further comprising 
the step of transmitting said two numbers from said mobile 
communications network upon receiving a request for said 
two numbers from said communications terminal. 

34. The method according to claim 33, wherein the step 
of comparing further comprises the step of transmitting said 
request from said communications terminal when said first 
identifier does not match said second identifier. 

35. The method according to claim 31, wherein the step 
of storing said two numbers and said first identifier further 
comprises storing an expiration date associated with said
two numbers. 

36. The method according to claim 35, wherein said 
communications terminal transmits a request for two new 
numbers associated with said Diffie-Hellman exponential 
key exchange algorithm if said two numbers has expired. 

37. The method according to claim 31, further comprising 
the steps of: 

changing said two numbers associated with a Diffie- 
Hellman exponential key exchange algorithm at said 
mobile communications network; and 

storing said changed two numbers at said communications 
terminal. 

38. The method according to claim 37, wherein the step 
of changing said two numbers further comprises the step of 
broadcasting said changed two numbers from said mobile 
communications network for a predetermined period of 
time. 

39. A method for encrypting traffic between a generic 
communications network and a first communications 
terminal, comprising the steps of: 

broadcasting two numbers associated with an exponential 
key exchange algorithm from said generic communi- 
cations network to a plurality of communications 
terminals, said plurality of communications terminals
including said first communications terminal;

generating a first random number at said first
communications terminal;

generating a second random number at said generic
communications network;

using said first and second random numbers as inputs to
said exponential key exchange algorithm, generating a
third number to be used as a secret key by said first
communications terminal and said generic
communications network;

encrypting said traffic with said secret key; and

maintaining said encrypted traffic between said generic
communications network and said first
communications terminal when the generic communications
network does not know an identity of said first
communications terminal.

40. A system for use in encrypting traffic between a
generic communications network and a communications
terminal, comprising:

an access network included in said generic
communications network; and

access network means coupled to said communications
terminal and associated with said access network, for
storing a public encryption key associated with said
generic communications network, generating a secret
key, encrypting said secret key with said stored public
encryption key, transmitting said encrypted secret key
to said generic communications network; encrypting
said traffic with said secret key, and maintaining said
encrypted traffic between said generic communications
network and said communications terminal when the
generic communications network does not know an
identity of said communications terminal.

41. A system for use in encrypting traffic between a
generic communications network and a communications
terminal, comprising:

first network means for storing a private encryption key,
distributing a public encryption key, and decrypting an
encrypted secret session key;

second network means connected to said first network
means, for broadcasting said distributed public
encryption key, said first and second network means
associated with an access network of said generic
communications network; and

access means coupled to said communications
terminal and associated with said access network of
said generic communications network, for receiving
said broadcast public encryption key, generating a
secret key, encrypting said secret key with said received
public encryption key, transmitting said encrypted
secret key to said generic communications network;
encrypting said traffic with said secret key; and
maintaining said encrypted traffic between said generic
communications network and said communications
terminal when the generic communications network does
not know an identity of said communications terminal.

42. The method according to claim 1, wherein the step of
storing further comprises the step of requesting the public
key from the mobile telecommunications network when the
public key was not stored in the first place.

43. The method according to claim 1, wherein the step of
storing further comprises the step of requesting a second
public key from the mobile telecommunications network
when utilization of the stored public key is unsuccessful.

44. The method according to claim 1, wherein the step of
generating a secret key further comprises the steps of
generating and changing the secret key using a
pseudorandom number sequence.

45. The method according to claim 44, wherein the step
of changing the secret key is triggered after encrypting a
predetermined amount of the communications traffic,
encrypting the communications traffic for a predetermined
amount of time, or responding to a predefined request from
the communications terminal or the mobile communications
network.

46. The method according to claim 1, further comprising
the step of enabling the communications terminal to
generate, encrypt and transmit another secret key to the
mobile communications network to be used instead of the
secret key.

*****